Recently my sister’s Facebook account got hacked. This was an actual hack where she received a malicious link that appeared to come from a friend. The link was allegedly a coupon code. I’m distinguishing here between this type of hack and the duplicate account that alleges to be you. That type of social engineering doesn’t actually affect your account, it’s targeted at your Facebook friends.
In my sister’s case, she lost control of her account. Twelve years of chats, photos, memories all gone in an instant. She contacted Facebook, but they would only send password reset information to the email associated with the account, which the hacker had changed immediately. Facebook would not check to see if the email had just been changed. They would not try to confirm her identity in any other way. They were as unhelpful as a mega corporation could be.
The best actions for protecting your Facebook account must be taken in advance. After the fact recovery may not be possible. While Facebook may have all your personal data, they do not have your back.
What to do? Use a good unique password. Enable Two Factor Authentication (2FA). Turn on login notifications.
A good password contains a variety of letters, numbers, and special characters, but more important than good is unique. The password you use for Facebook should only be used for Facebook. You should never enter that password anywhere except to login into Facebook, and even then, check multiple times to be sure it’s actually Facebook. If in doubt, go to the search bar in your browser and type in facebook.com.
2FA. You’ve probably already come across this in other places. Turn it on. It means someone with your password cannot log in without 2FA as well. Facebook’s implementation is very unobtrusive in that it remembers your browser and doesn’t make you authenticate from known locations.
When you set it up, it’ll ask if you want to save the browser you’re in. If it’s a public, work, or shared computer, you will probably want to say no. Once saved it won’t keep asking you on that browser.
You can setup 2FA in your Security and Login Settings in Facebook It will give you the option of using a third-party app like Google Authenticator or get a text message on your phone. It’s up to you which one works better. You can also download 10 recovery codes to use if you can’t get text messages or your authenticator app to work.
Login notifications are notifications to you that someone unrecognized has logged in. It’s set up in the same place as 2FA. With notifications setup to email you, you’ll receive an email asking if it was you, when someone unknown logs in. If you answer [This wasn’t me] Facebook will help you reset your password.
Remember you have to take these steps before your account is compromised, not after.